
White Paper

Sarbanes-Oxley and the PeopleSoft Financial Management Blueprint: Is it enough for Compliance?

Written by Doug Daniels, Applications and Database Management, Quest Software, Inc.

Source: hosteddocs.ittoolbox.com/Questnolg22106peoplesoft.pdf


© Copyright Quest® Software, Inc. 2005. All rights reserved.

The information in this publication is furnished for information use only, does not constitute a commitment from Quest Software Inc. of any features or functions discussed and is subject to change without notice. Quest Software, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication.

Last revised: June 2005


TABLE OF CONTENTS

IS IT ENOUGH FOR COMPLIANCE? (p. 4)
EXAMINING THE GAPS IN THE SINGLE INSTANCE SOLUTION FOR SECTION 302 COMPLIANCE (p. 5)
MAPPING AND DOCUMENTING BUSINESS PROCESSES FOR SECTION 404 COMPLIANCE (p. 6)
SECTION 409 COMPLIANCE MAY REQUIRE HIGH AVAILABILITY (p. 8)
COMPLIANCE REQUIRES A HOLISTIC APPROACH (p. 9)
ABOUT THE AUTHOR (p. 10)
ABOUT QUEST SOFTWARE, INC. (p. 11)
CONTACTING QUEST SOFTWARE (p. 11)
TRADEMARKS (p. 11)


IS IT ENOUGH FOR COMPLIANCE?

In mid-2002, PeopleSoft released a Financial Management Blueprint (www.peoplesoft.com/media/en/pdf/sarbanes_oxley.pdf) outlining compliance for the Sarbanes-Oxley Act of 2002 (aka Sarbox). This blueprint addresses the sections of the law that directly affect IT operations: Sections 302, 404, and 409. While this blueprint represents an important first step in compliance, IT organizations should be aware that PeopleSoft’s approach may not represent a complete compliance solution. Indeed, software alone will not bring firms into compliance by June 15, 2004, the new date issued by the SEC for Sarbox compliance with Section 404.

As financial systems represent the logical place to begin Sarbox compliance initiatives, now is the time to understand what PeopleSoft is giving you out of the box and what other tools and services your firm will require. Achieving compliance will require a combination of business discipline and software applications that support that discipline.


In this article we examine the PeopleSoft financials packaged application as one example of a vendor’s out-of-the-box solution for Sarbox compliance. We examine the gaps in this compliance regime as implemented by PeopleSoft and possible solutions a firm can implement to fill these gaps with minimal expenditure and exposure. Indeed, since most of the large Packaged Enterprise Applications vendors are similar across their capabilities and functionality, organizations may apply the lessons learned from PeopleSoft to other financial solutions from Oracle, SAP, or even in-house developed applications.


Examining the Gaps in the Single Instance Solution for Section 302 Compliance

Section 302, effective August 29, 2002, spells out the certification process for company officers and their liability under the law. Under Section 302, executives must certify under penalty of incarceration that their financial statements represent the truth and that the executive has evaluated the internal controls that produced the financial statement in the last 90 days.

Figure 1: Financial Management Blueprint

PeopleSoft’s Financial Management Blueprint addresses the Section 302 requirement with its single instance capability. PeopleSoft cites “Global Consolidation” of disparate financial data into the single PeopleSoft Financials repository as the primary method by which to bring customers into compliance with Section 302. That is, if all financial data resides in a single PeopleSoft Financials instance, reporting should be seamless and easy. This ‘single view of the truth’ approach is a good beginning for customers actually running a single instance of PeopleSoft Financials for all of their financial reporting needs. For multinational customers running multiple instances and customers running heterogeneous financials packages across various departments or geographies, however, the single instance story will not produce compliance. Instead, firms will need to look to business intelligence solutions, report management solutions, and composite applications to bring together disparate data into relevant consolidated reports.


Furthermore, PeopleSoft cites its Portal offering as a method by which to implement auditable and repeatable financial reporting processes under Section 302. The PeopleSoft Investor Portal and the PeopleSoft CFO Portal are both cited in the financial blueprint as a means to route, manage, and approve financial statements for distribution to the SEC. While this solution provides the mechanism by which to implement executive sign-off, it doesn’t address the underlying issues of data and system integrity or report availability. Even the most advanced approval mechanisms are no substitute for accurate system control and the ability to produce the report on demand. Firms should look to hot backup systems or consolidated report warehouses to provide on-demand reporting capability, as well as implementing and enforcing strict controls and processes on all access to and changes made to the underlying PeopleSoft Financials system and the financial reports it produces.

In a nutshell, PeopleSoft does a decent job of providing an embedded compliance solution for Section 302. But firms should examine the gaps inherent if they are not running a single instance, and place tighter processes and controls on access to and changes made to all instances.

Mapping and Documenting Business Processes for Section 404 Compliance

Section 404, which provides for “Internal Controls”, is by far the most important to IT managers and employees, as it speaks directly to the underlying control systems such as PeopleSoft Financials. Section 404 effectively requires public firms to ‘establish and maintain internal control structures and procedures for financial reporting’ and ‘report on the effectiveness of the internal control structure’. This broad language has been the focus of most debate around the intersection of IT and Sarbox compliance.

The PeopleSoft financial management blueprint provides support for Section 404 by complying with The Hackett Group’s financial best practices model. The Hackett Group is an independent best practices research firm that has certified PeopleSoft’s financial management solutions version 8.4 as complying with GAAP and other international accounting standards organizations. This essentially means that PeopleSoft Financials’ internal business logic is in line with accepted accounting procedures. Furthermore, PeopleSoft cites a variety of bells and whistles to assist with Section 404 including workflow, scorecards, and key performance indicators to assist organizations with control visibility.


While PeopleSoft customers can be certain that once their business process enters the PeopleSoft system they are in nominal accounting compliance, the financial blueprint is conspicuously silent on auditing the system itself and on auditing business processes that are not wholly contained within the PeopleSoft system. Indeed, much of the debate around Section 404 centers on business process auditing, process documentation, and ‘auditing the audit system’ for structural and other changes.

Astute IT organizations should monitor the 404 debate closely; the extended deadline to June 15, 2004 is a direct reflection of the confusion currently surrounding Section 404 compliance. At the heart of the issue are business processes, particularly those that extend partially outside the PeopleSoft environment as well as those processes that affect or change the internal business logic of the PeopleSoft financials reporting system itself. Locking down and auditing changes to the base financials product is good practice in any environment – under Sarbox it becomes the law.


To audit and report on such cross-system business processes, firms should look to implement strict change control processes as well as map out their business processes that extend beyond the PeopleSoft environment. For example, if your order-to-cash process involves other applications such as Siebel to capture sales orders that are then fed into PeopleSoft Financials, look for ways to capture the Siebel process action in a reportable and auditable manner. Finally, begin auditing all changes made to the PeopleSoft Financials system so that at quarter’s end you can easily produce a document of all changes made to the business logic. For example, if you change the rate of amortization for a certain asset class in the underlying business logic, you should record that change and publish it as part of your report to your compliance officers. It is crucially important that IT managers implement a consistent, repeatable methodology to ensure that their controls continue to be effective even after they are documented and implemented.

In sum, PeopleSoft Financials provides the business logic component to comply with Section 404, but firms will need to invest in projects to map and document their business processes and the changes made to these processes. Implementing strict change control over business processes is a must for large and medium organizations facing compliance. IT organizations should look to change management products as well as workflow vendors and service organizations for assistance in rounding out their Section 404 compliance strategy.


Section 409 Compliance May Require High Availability

Section 409 of Sarbox stipulates that firms must provide for “real time disclosure” of any changes to financial condition or operations including timely distribution of relevant SEC reports such as 10-K, 10-Q, and 8-K. The PeopleSoft financial blueprint again cites the Portal product as a means of Section 409 compliance. Using the role based capabilities in the PeopleSoft Portal, firms can create workflow driven processes for report “creation, approval and publication”. Furthermore, PeopleSoft Financials provides the ability to access and publish performance metrics and data to third parties or executives that must assess the state of the business.

On the surface, these embedded compliance tactics delivered by PeopleSoft are enough to satisfy the Section 409 requirement. However, firms should examine their exact requirements and determine if they are truly capable of real-time reporting. Similar to the Section 302 requirement, this implies high availability of the reporting infrastructure. IT managers should examine how they generate their consolidated reports, in batch or in real time, and the impact stricter reporting requirements will have on system availability and performance. Tuning report generation queries, or eliminating them through consolidated storage outside the application itself, is one logical place to start. Consider that the Section 409 requirement could force shops to run consolidated reports outside their normal run-time window, which could in turn affect operational performance. Large shops should consider a warehousing system or reporting instance to separate OLAP and other reporting activity from the operational OLTP system. Finally, this requirement is a good time to consider your backup and recovery plan in the event of a terrorist attack or natural disaster. If disaster strikes and the firm’s SEC reports are required the next day, what is the impact to the business?


Most firms will find that PeopleSoft’s Financial Blueprint adequately addresses Section 409. However, firms should take heed that true real-time reporting involves a report high availability strategy to ensure access to consolidated reports whatever the circumstances.


Compliance Requires a Holistic Approach

It is important that firms assess the technological gap between their true compliance requirements and what PeopleSoft Financials can provide them. For example, the internal controls requirement in Section 404 may require implementation of business processes which require advanced routing and workflow processes, above those capabilities in PeopleSoft. Industry luminary Ray Lane espouses the coming era of “composite applications” residing “above” the packaged application layers already in place. Composing internal process controls and audits across relevant financial applications for Sarbox compliance may be the impetus to drive your organization toward such composite applications. And it is not apparent that business intelligence systems are enough. While these systems may provide the mechanism to consolidate and mine financial reports, oftentimes they do not include the workflow, approval or auditing capability required under the law. Finally, the reporting requirements will drive IT shops to take inventory of their current ability to capture, archive and deliver consolidated financial reports in real time.

While the PeopleSoft Financial Blueprint will make life with Sarbox easier on your firm, it should not be viewed as a panacea. Indeed, a good understanding of the business processes that drive your firm and a trusted third-party auditor are perhaps even more critical to compliance than any single software package. Sections 302, 404, and 409 of Sarbanes-Oxley have significant implications for PeopleSoft Financials customers. Companies should monitor the state of PeopleSoft’s solutions for compliance and how completely the solution addresses their specific needs. The good news is that today the PeopleSoft financial management blueprint is being provided free to PeopleSoft customers. Firms should take advantage of this windfall and implement the financial blueprint before a strengthening economy allows PeopleSoft to charge organizations for compliance add-ons. Furthermore, firms should engage their corporate auditors early and often to determine the level of documentation, implementation, and follow-up testing that auditors will demand. Finally, IT managers should attend PeopleSoft User Groups and industry events to learn more and keep abreast of the latest developments in Sarbox compliance. Such a holistic approach to compliance and a good understanding of the business will ultimately bring your firm into compliance with minimal expenditure and effort.


ABOUT THE AUTHOR

Doug Daniels ([email protected]) is a Product Marketing Manager at Quest Software, Inc. He is responsible for developing and managing market strategy and messaging for Quest’s solutions. Daniels holds a Master of Information Systems and Bachelor of Arts in Economics from George Washington University.

* Special thanks to Katherine K. McAbee, Senior Associate at PriceWaterhouseCoopers, for her assistance in explaining Sarbanes-Oxley from an auditor’s perspective.


ABOUT QUEST SOFTWARE, INC.

Quest Software, Inc. delivers innovative products that help organizations get more performance and productivity from their applications, databases and infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 18,000 customers worldwide meet higher expectations for enterprise IT. Quest Software, headquartered in Irvine, Calif., can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Mail: Quest Software, Inc., World Headquarters, 8001 Irvine Center Drive, Irvine, CA 92618, USA
Web site: www.quest.com
Email: [email protected]
Phones: 1.800.306.9329 (Inside U.S.), 1.949.754.8000 (Outside U.S.)

Please refer to our Web site for regional and international office information. For more information on other Quest Software solutions, visit www.quest.com.

Trademarks

All trademarks and registered trademarks used in this guide are property of their respective owners.